How to prevent spam and fake orders in WooCommerce

The spam can do a lot of damage to your website and especially to e-commerces. No matter what mechanism they use: software, scripts, and tools, the fake orders can cost a lot of money and losses to businesses, and spam not only makes operations more difficult, it can also damage the SEO ranking and credibility of a website. Today we’re gonna learn how to avoid these attacks and getting the best security tools so you don’t have to worry again.

How to prevent spam and fake orders? Let’s see!

Take a look at the basic anti-spam settings

  • Switch off the “Anyone can register” option. You can do it in the General settings option. This only affects the admin side, not WooCommerce registration forms, so you don’t have to worry about it.
  • Uncheck the option “Allow link notifications from other blogs (pingbacks and trackbacks) on new articles”.
  • Make sure you can approve comments before publishing. You can use plugins like Disqus or enable the “Comment author must have a previously approved comment” option.

Create a custom registration page that spam can’t recognize

The common target for the spammers is the “” page. If you create a different page for registration, it will be harder for spammers to get there.

Admin new user approval

With a plugin like Profile Press, you can manually approve the new users from the dashboard or directly from your mail. It adds another duty to your process but if your product is from a specific niche or new, you can start with this step.


As you have surely seen on many websites, CAPTCHA is a system that requires you to act to be able to take the next step, for example, you must select certain images according to the instructions, type a code or perform a mathematical operation. It makes the process slightly slower for the user but it is a way to verify that there is a human behind the operation.

Install an anti-spam plugin

Maybe you need more than one security plugin, take a look:


This plugin helps you preventing fake orders and blacklisting fraud customers of your store. Blocker allows users to refuse orders from specific IP address, State, and Zipcode. You could specify your blacklist. If the user is blacklisted, the checkout or account will be interrupted and the user will be notified of the reason why the operation was blocked.


This is one of the most famous anti-spam plugins. Akismet automatically filters the spam comments and checks it against a global database, protecting your website from malicious content. Once you activate this plugin, you’ll be prompted to get an API key to use it. Keys are free for personal blogs, paid subscriptions are for businesses and commercial sites.

WooCommerce Wholesale Lead Capture

This plugin is useful for managing registration and login forms on your WooCommerce, but it has a honeypot spam protection feature that is important in this case and you won’t have to install another plugin for that.

Honeypot Contact Form 7

This addition to Contact Form 7 avoids having to put a Captcha but maintains anti-spam functions against bots in forms and shopping carts, avoiding false orders and malicious content.


With this plugin, your user will only need to click the checkbox in the reCAPTCHA tool created by Google. It’s easier than CAPTCHA, which requires typing numbers, answer questions or solving math problems. It also autodetects the user’s language.


This tool protects the WooCommerce from advertising fraud, order fraud, and performance issues. NS8 scores every user, traffic and orders and detect patterns and identify the potential risk of fraud and spam.

It also monitors if your SSL certificate is set to expire, your domain is added to a spam list, your website is flagged for malware concerns, a portion of your website fails to load, or your load performance drops against the global average.

Fake customer blocker

This is a security add-on for WooCommerce, it helps you to block emails, domains, new orders with errors or notices, fake orders and also you can show the users why they can’t order, customizing every message.

Limit attempts

This IP Adress blocker is very effective in avoiding spam and brute force attacks, which are repeated attempts of access, directed by some software, that can damage your website. You can add and block IP addresses; hide login, register, lost password forms for blocked or blacklisted IPs and customize the error messages.


This plugin blocks automatic spam in the comments section and needs no captcha. You can also convert spam comments in regular comments. It’s GDPR compliant so it doesn’t store unnecessary information about the user.

This plugin uses an “invisible js-captcha” method based on the fact that bots don’t have javascript on their user-agents. How does it work? An extra hidden field is added to the comments form, it’s the question about the current year. If the user visits the website, this field is answered automatically with javascript, is hidden by javascript and CSS and invisible for the user. If the spammer will fill year-field incorrectly the comment will be blocked because it’s spam.

If you use Gravity Forms

Go to Options and check “Enable anti-spam honeypot”. It’s disabled by default.

Call the customer

Even if it’s kinda invasive but if your products are more like services (assessments, ebooks, online courses) you can call the customer and take to chance to talk before the purchase and know the expectations, sell another product, etc.

Some e-learnings like Open English use this method. Platforms like UpWork also call their postulants and interview them before accepting their profiles.

Verify the CVV code of the credit card

The CVV code is the 3 number code behind the credit card and must match with the registered card and if not, it can be a fraud. It’s an extended verification method because is effective.

User email confirmation

You can use some tools or plugins so that the user must confirm their registration by clicking on a link sent to their email. Users who have not clicked can be pending and can be manually reviewed and approved. It is one of the safest methods because spammers don’t always get to that point.

Confirm before shipping

You can confirm via mail, text message or phone call with the client. It will be useful not only for you to prevent fake orders, but it can also be a gesture of responsibility with your clients.

Verify the address

Hire some AVS system. What is that? The Address Verification Service, or AVS, compares the billing address the user registered in the transaction with the address provided to the bank from the cardholder. This isn’t a bulletproof measure but it helps a lot to collate the data and avoid returns or losses.

Preventing spam on the comments you can keep your website clean of irrelevant or potentially harmful content for you and your users. By preventing spam emails or registrations you can concentrate on what matters: Convert!